
Enable audit logging

Applies to: ECE, ECK, Elastic Cloud Hosted, Self Managed. Unavailable on Serverless.

Important

Audit logs are only available on certain subscription levels.

You can log security-related events such as authentication failures and refused connections to monitor your cluster for suspicious activity (including data access authorization and user security configuration changes). Audit logging can be enabled independently for Elasticsearch and Kibana.

This section describes how to enable and configure audit logging in both Elasticsearch and Kibana for all supported deployment types, including self-managed clusters, Elastic Cloud Hosted, Elastic Cloud Enterprise (ECE), and Elastic Cloud on Kubernetes (ECK).

Important

In orchestrated deployments, audit logs must be shipped to a monitoring deployment; otherwise, they remain at container level and won't be accessible to users. For details on configuring log forwarding in orchestrated environments, refer to logging configuration.

When audit logging is enabled, security events are persisted to a dedicated <clustername>_audit.json file on the host’s file system, on every cluster node. For more information, refer to Elasticsearch logfile audit output.

To enable Elasticsearch or Kibana audit logs, configure xpack.security.audit.enabled to true in all Elasticsearch or Kibana nodes, then restart the nodes to apply the changes. For detailed instructions, select your deployment type:

Note

Audit logs are disabled by default and must be explicitly enabled.

To enable audit logging in Elasticsearch:

  1. In all nodes, set xpack.security.audit.enabled to true in elasticsearch.yml.
  2. Restart the cluster by following the rolling restart procedure.

To enable audit logging in Kibana:

  1. Set xpack.security.audit.enabled to true in kibana.yml.
  2. Restart Kibana.
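Because xpack.security.audit.enabled is a static node setting, a node only reports the new value once it has been restarted, so a node skipped during the rolling restart silently keeps auditing off. The following check, an added example that is not Elastic's code, reads the JSON body of GET _nodes/settings (handling both the default nested form and the ?flat_settings=true form) and lists the nodes where the setting is still missing or false. The two sample responses are constructed, not captured from a real cluster.

```python
"""Check that audit logging is active on every Elasticsearch node.

Added example (not Elastic's code). xpack.security.audit.enabled is a static
node setting, so a node only reports the new value after it has been restarted;
running this after the rolling restart confirms no node was missed.
Input is the JSON body of GET _nodes/settings, which returns settings nested
by default and flat when called with ?flat_settings=true; both are handled.
The sample responses below are constructed, not captured from a real cluster.
"""
import json

AUDIT_SETTING = "xpack.security.audit.enabled"


def _lookup_setting(settings: dict, dotted_key: str):
    """Return a setting value from a flat ("a.b.c": v) or nested ({"a": {"b": ...}}) map."""
    if dotted_key in settings:
        return settings[dotted_key]
    node = settings
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_status(nodes_settings_response: dict) -> dict:
    """Map each node name to True if audit logging is enabled there, else False.

    Setting values arrive as strings ("true"/"false"); a missing setting means
    the default, which is false.
    """
    status = {}
    for node_id, node in nodes_settings_response.get("nodes", {}).items():
        name = node.get("name", node_id)
        value = _lookup_setting(node.get("settings", {}), AUDIT_SETTING)
        status[name] = str(value).lower() == "true"
    return status


def nodes_without_audit(nodes_settings_response: dict) -> list:
    """Names of nodes that still need the setting (or a restart), sorted."""
    return sorted(name for name, enabled in audit_status(nodes_settings_response).items()
                  if not enabled)


# Constructed sample: default (nested) form; node-3 never received the setting.
SAMPLE_NESTED = json.loads("""
{
  "cluster_name": "prod",
  "nodes": {
    "aaa111": {"name": "node-1",
               "settings": {"xpack": {"security": {"audit": {"enabled": "true"}}}}},
    "bbb222": {"name": "node-2",
               "settings": {"xpack": {"security": {"audit": {"enabled": "true"}}}}},
    "ccc333": {"name": "node-3",
               "settings": {"xpack": {"security": {"enabled": "true"}}}}
  }
}
""")

# Constructed sample: a cluster queried with ?flat_settings=true.
SAMPLE_FLAT = json.loads("""
{
  "cluster_name": "prod",
  "nodes": {
    "aaa111": {"name": "node-1", "settings": {"xpack.security.audit.enabled": "true"}},
    "ddd444": {"name": "node-4", "settings": {"xpack.security.audit.enabled": "false"}}
  }
}
""")

if __name__ == "__main__":
    missing = nodes_without_audit(SAMPLE_NESTED)
    print("audit logging missing on:", missing or "no nodes")
```

Run it against the real response (for example the output of `curl -u ... 'https://es:9200/_nodes/settings'`) as the last step of the rolling restart; an empty list is the result you want before relying on the audit trail.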

To enable audit logging in an Elastic Cloud Hosted deployment:

  1. Log in to the Elastic Cloud Console.

  2. Find your deployment on the home page in the Hosted deployments card and select Manage to access it directly. Or, select Hosted deployments to go to the Deployments page to view all of your deployments.

  3. From your deployment menu, go to the Edit page.

  4. To enable auditing for Elasticsearch:

    • In the Elasticsearch section, select Manage user settings and extensions. For deployments with existing user settings, you may have to expand the Edit elasticsearch.yml caret for each node instead.
    • Add the setting xpack.security.audit.enabled: true.
  5. To enable auditing for Kibana:

    • In the Kibana section, select Edit user settings. For deployments with existing user settings, you may have to expand the Edit kibana.yml caret instead.
    • Add the setting xpack.security.audit.enabled: true.
  6. Select Save changes.

A plan change will run on your deployment. When it finishes, audit logs will be delivered to your monitoring deployment.

To enable audit logging in an ECE deployment:

  1. Log in to the Cloud UI.

  2. On the Deployments page, select your deployment.

  3. From your deployment menu, go to the Edit page.

  4. To enable auditing for Elasticsearch:

    • In the Elasticsearch section, select Edit user settings and plugins. For deployments with existing user settings, you may have to expand the Edit elasticsearch.yml caret for the first node instead.
    • Add the setting xpack.security.audit.enabled: true.
  5. To enable auditing for Kibana:

    • In the Kibana section, select Edit user settings. For deployments with existing user settings, you may have to expand the Edit kibana.yml caret instead.
    • Add the setting xpack.security.audit.enabled: true.
    • If your Elastic Stack version is below 7.6.0, add the setting logging.quiet: false.
  6. Select Save.

A plan change will run on your deployment. When it finishes, audit logs will be delivered to your monitoring deployment.

To enable audit logging in an ECK-managed cluster, add xpack.security.audit.enabled: true to the config section of each Elasticsearch nodeSet and to the config section of the Kibana object's specification.

The following example shows this configuration, together with logs and metrics delivery to a remote monitoring cluster:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
spec:
  monitoring:
    metrics:
      elasticsearchRefs:
      - name: monitoring
        namespace: observability
    logs:
      elasticsearchRefs:
      - name: monitoring
        namespace: observability
  nodeSets:
  - name: default
    config:
      xpack.security.audit.enabled: true
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
spec:
  monitoring:
    metrics:
      elasticsearchRefs:
      - name: monitoring
        namespace: observability
    logs:
      elasticsearchRefs:
      - name: monitoring
        namespace: observability
  config:
    xpack.security.audit.enabled: true

When enabled, audit logs are collected and shipped to the monitoring cluster referenced in the monitoring.logs section. If monitoring is not enabled, audit logs will only be visible at container level.

You can configure additional options to control what events are logged and what information is included in the audit log. For more information, refer to Configure audit logging.
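Once events land in the <clustername>_audit.json file described above (or in the monitoring deployment, for orchestrated environments), the first thing a defender usually wants from them is the authentication failures and refused connections the page mentions, grouped by source. The following triage script is an added example and not Elastic's code: it treats each line of the file as one JSON audit event, skips lines that are not JSON or not audit events, and flags sources with repeated failed logins or any refused connection. The field names it reads (type, event.type, event.action, user.name, origin.address) follow the Elasticsearch logfile audit event format as I understand it; the sample lines are constructed, not real captures.

```python
"""Triage the <clustername>_audit.json file Elasticsearch writes on each node.

Added example (not Elastic's code). Each line of that file is one JSON audit
event; the field names used here (type, event.type, event.action, user.name,
origin.address) follow the Elasticsearch logfile audit event format as I
understand it, and the sample lines are constructed, not real captures.
Lines that are not JSON, or are not audit events, are skipped rather than
aborting the run.
"""
import json
from collections import Counter

# Constructed sample: three failed logins and one refused connection from
# 203.0.113.7, one failed login from 198.51.100.9, one normal event, and two
# junk lines that a robust parser must tolerate.
SAMPLE_AUDIT_LINES = """\
{"type":"audit","timestamp":"2024-05-01T10:00:01,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51111","url.path":"/_security/user","request.method":"GET"}
{"type":"audit","timestamp":"2024-05-01T10:00:02,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51112","url.path":"/_security/user","request.method":"GET"}
{"type":"audit","timestamp":"2024-05-01T10:00:03,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.type":"rest","origin.address":"203.0.113.7:51113","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2024-05-01T10:00:04,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"198.51.100.9:40001","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2024-05-01T10:00:05,000+0000","event.type":"ip_filter","event.action":"connection_denied","origin.type":"rest","origin.address":"203.0.113.7:51130","transport.profile":"default","rule":"deny _all"}
{"type":"audit","timestamp":"2024-05-01T10:00:06,000+0000","event.type":"transport","event.action":"access_granted","user.name":"kibana_system","origin.type":"rest","origin.address":"10.0.0.5:33000","action":"cluster:monitor/health"}
this line is not JSON
{"type":"server","message":"not an audit event"}
"""


def parse_audit_lines(text: str) -> list:
    """Parse newline-delimited JSON, keeping only well-formed audit events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, keep triaging
        if isinstance(event, dict) and event.get("type") == "audit":
            events.append(event)
    return events


def source_ip(event: dict) -> str:
    """origin.address is "host:port"; drop the port so retries group together."""
    return event.get("origin.address", "unknown").rsplit(":", 1)[0]


def failed_auth_by_source(events: list) -> Counter:
    """Count authentication_failed events per source address."""
    return Counter(source_ip(e) for e in events
                   if e.get("event.action") == "authentication_failed")


def denied_connection_sources(events: list) -> list:
    """Sources that hit an IP-filter connection_denied event, sorted."""
    return sorted({source_ip(e) for e in events
                   if e.get("event.action") == "connection_denied"})


def flag_sources(text: str, threshold: int = 3) -> list:
    """Sources with at least `threshold` failed logins, or any refused connection."""
    events = parse_audit_lines(text)
    noisy = {ip for ip, n in failed_auth_by_source(events).items() if n >= threshold}
    return sorted(noisy | set(denied_connection_sources(events)))


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_AUDIT_LINES):
        print("review source:", ip)
```

The threshold is deliberately a parameter: the right value depends on how many nodes feed the file and how noisy legitimate clients are, so tune it per cluster rather than hard-coding it. Narrowing which events are written in the first place is what the audit configuration options referenced above are for.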